
SO10 HSCN Inbound Internet Connectivity Guidelines for CNSPs and Consumers

Introduction

Internet connectivity provided over HSCN is by default outbound only. In other words, the connection is initiated by the HSCN Consumer to a service on the Internet, as opposed to a connection that is initiated by a client or service on the Internet and terminates within an HSCN Consumer’s organisation.

In HSCN terms, a connection that is initiated by a client or service on the internet is called an ‘inbound internet connection’.

All Internet connectivity that is provided over HSCN traverses the Secure Boundary solution before being forwarded to the Internet. Secure Boundary is a high-performance, highly available Internet content filtering, malware protection and access control solution that, whilst transparent, improves overall Internet security for HSCN Consumers. Secure Boundary filters outbound internet traffic and blocks all inbound internet traffic by default.

The Health and Social Care Network (HSCN) Obligations Framework includes, where requested, the facility for Consumers to receive service connections initiated from the Internet. For example, if a Consumer organisation is to receive application support remotely from an external service provider, via the Internet, then they can request that their Consumer Network Service Provider (CNSP) facilitates the inbound Internet connection.


HSCN Obligations Framework

HSCN Obligation SO10

“HSCN Suppliers shall provide access to HSCN Consumer's Business Application Services or other services, for example websites, from the internet - on request from the HSCN Consumer and after verifying that the HSCN Consumer has completed an HSCN Connection Agreement that includes their provision of external services.” 

HSCN Obligation SO10a

“HSCN Suppliers shall ensure that attacks on the Internet IP addresses of HSCN Consumer Business Application Services, or other services, available through the Internet Gateway do not disrupt the provision of outbound internet services across the Internet Gateway or the availability of the wider HSCN service.”


HSCN Secure Boundary

The HSCN Secure Boundary is a perimeter security solution that protects against security threats. It is primarily designed to filter outbound traffic and protect against malware, phishing, and other online threats. Inbound Internet traffic is not filtered by the HSCN Secure Boundary, but can be provided directly from the CNSPs.

HSCN obligation SO10 states that HSCN Suppliers must provide access to HSCN Consumer's Business Application Services or other services, such as websites, from the internet, on request from the HSCN Consumer. However, obligation SO10 does not prescribe specific security countermeasures for inbound Internet traffic. 

It is strongly recommended that organisations consider the security risks and suggested risk mitigations identified by the National Cyber Security Centre (NCSC) and NHS England's Data Security Centre. Inbound Internet service provision over HSCN should also comply with relevant NCSC guidance.

Overall, the HSCN Secure Boundary is a valuable tool for protecting HSCN networks from outbound threats, but it is not designed to filter inbound traffic. Organisations should implement additional security measures to protect inbound traffic, such as firewalls, intrusion detection systems, and web filtering solutions.


Key risks

NCSC has recognised that networks need to be protected against a number of key risks, particularly relevant to Inbound Internet connections and Patient Identifiable Data (PID), including:

  • exploitation of systems – the compromise of systems that perform critical functions, affecting the organisation’s ability to deliver essential services or resulting in severe loss of customer or user confidence
  • compromise of information – the unauthorised access of systems hosting sensitive information directly or allowing an attacker to intercept poorly protected information whilst in transit
  • import and export of malware – implementing appropriate security controls preventing the import and export of malware
  • Denial of Service – internet-facing networks may be vulnerable to Denial of Service attacks, where access to services is denied to legitimate users or customers
  • damage or defacing of corporate resources – a successful compromise may result in the attacker further damaging systems and information, harming the organisation’s reputation and customer confidence

Cyber security information and guidance for CNSPs 

1. CNSPs who intend to provide HSCN Consumers with inbound internet connectivity are advised to review the following guidance material:

2. The access/traffic shall be limited to the consumer organisation/site, specific services, ports and protocols required.

3. CNSPs must be able to provide evidence of the Consumer’s formal acceptance of the Inbound Internet service and that they understand and accept the key risks associated with an Inbound Internet service.


Cyber security information and guidance for HSCN Consumers

Consumers who process Patient Identifiable Data (PID) and are considering deploying an Inbound Internet connection must first carry out a data security and protection self-assessment using the NHS Digital Toolkit.

CNSPs who are providing an HSCN Consumer with an inbound Internet connection must check that the Consumer has completed the data security and protection self-assessment prior to the Inbound Internet connection going live.

HSCN Consumers are advised to review the following guidance: 

HSCN Consumers intending to deploy inbound internet connectivity should have created a 'Network Security Policy'. A template policy can be found here:

Network security guidance for health and care organisations


Important notes

1. CNSPs shall ensure that every organisation that wishes to use HSCN completes an HSCN Connection Agreement.

2. CNSPs shall ensure all inbound internet connections are recorded in the HSCN Estate Data in accordance with HSCN CNSP Service Provider Management Requirement Addendum.

3. CNSPs shall generate network monitoring data for all inbound internet connections in accordance with HSCN Obligations Framework S01 Network Analysis.

4. CNSPs shall ensure all IP addresses allocated to the inbound internet connection are registered on the NHS England IPAM (HSCN IP Address Management).

5. CNSPs shall record the following information for each Inbound connection:

  • HSCN Consumer organisation’s details
  • external service provider / customer details
  • source IP address(es), ports and protocols, application or service details

6. CNSPs shall provide NHS England's Data Security Centre (DSC) the aforementioned information upon request.    
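
The following added example (not part of the original guidance or any NHS England tooling) shows one way a CNSP could check its inbound connection records against the requirement to limit traffic to specific services, ports and protocols and against the information listed in note 5. The field names, the sample records and the reading of "specific" as single port numbers over TCP or UDP are assumptions made for this example.

```python
import ipaddress

# Field names are assumptions for this example; the guidance lists the
# information to record but does not define a schema.
REQUIRED = ("consumer_org", "external_provider", "source_ips",
            "ports", "protocol", "service")


def audit_record(rec):
    """Return a list of findings for one inbound-connection record."""
    findings = [f"missing field: {f}" for f in REQUIRED if not rec.get(f)]
    for src in rec.get("source_ips") or []:
        try:
            ipaddress.ip_network(src, strict=False)
        except ValueError:
            findings.append(f"invalid source address: {src}")
    for port in rec.get("ports") or []:
        # Assumed reading of "specific ports": one explicit number each.
        if not (isinstance(port, int) and 1 <= port <= 65535):
            findings.append(f"port not a single explicit value: {port}")
    proto = rec.get("protocol")
    if proto and proto.lower() not in ("tcp", "udp"):
        findings.append(f"protocol not specific: {proto}")
    return findings


def audit_all(records):
    """Map each consumer organisation to its list of findings."""
    return {r.get("consumer_org", "<unknown>"): audit_record(r) for r in records}


# Constructed sample records (documentation address range, fictional names).
RECORDS = [
    {"consumer_org": "Example Trust", "external_provider": "Example Support Ltd",
     "source_ips": ["203.0.113.10/32"], "ports": [443], "protocol": "tcp",
     "service": "remote application support"},
    {"consumer_org": "Example Clinic", "external_provider": "",
     "source_ips": ["any"], "ports": ["1-65535"], "protocol": "any",
     "service": "website"},
]

if __name__ == "__main__":
    for org, findings in audit_all(RECORDS).items():
        print(org, "OK" if not findings else findings)
```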
 

Last edited: 19 December 2023 6:23 pm